{"id":2676,"date":"2013-10-24T00:01:00","date_gmt":"2013-10-24T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/10\/24\/use-powershell-to-update-windows-defender-signatures\/"},"modified":"2013-10-24T00:01:00","modified_gmt":"2013-10-24T00:01:00","slug":"use-powershell-to-update-windows-defender-signatures","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-update-windows-defender-signatures\/","title":{"rendered":"Use PowerShell to Update Windows Defender Signatures"},"content":{"rendered":"<p><strong>Summary<\/strong>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell&nbsp;4.0 in Windows&nbsp;8.1 to update Windows Defender signatures.<\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. Well, it is nearly time. Tomorrow the Scripting Wife and I leave for Atlanta for <a href=\"http:\/\/powershellsaturday.com\/005\/\" target=\"_blank\">Windows PowerShell Saturday<\/a>. Obviously, Windows PowerShell Saturday begins on a Saturday&mdash;it is just that we are leaving on Friday because it is a pretty good drive from Charlotte to Atlanta and it is nearly impossible to fly to Atlanta from Charlotte. With a two-hour check-in rule, an hour drive to the airport, and then being on the wrong side of Atlanta after completing the 50-minute flight, it is actually faster to drive to Atlanta than to fly. It&rsquo;s just one of those things. Mark Schill has done a fine job lining up a very strong program. It will be educational, fun, informative, and practical&mdash;a great combination. There are still some seats available, so the signup is still open. 
The event is being held in the <a href=\"http:\/\/www.microsoft.com\/about\/companyinformation\/usaoffices\/southeast\/en\/us\/alpharetta.aspx\" target=\"_blank\">Microsoft Office in Alpharetta<\/a>, which is a really nice venue.<\/p>\n<p><strong>Note<\/strong> &nbsp;This is the third part in a series about the Windows Defender module in Windows&nbsp;8.1.<\/p>\n<ul>\n<li>For basic information about the Windows Defender module, please see <a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/10\/22\/exploring-the-windows-defender-catalog.aspx\" target=\"_blank\">Exploring the Windows Defender Catalog<\/a>.<\/li>\n<li>For information about how to interpret Windows Defender preferences, see <a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/10\/23\/use-powershell-to-explore-windows-defender-preferences.aspx\" target=\"_blank\">Use PowerShell to Explore Windows Defender Preferences<\/a>.<\/li>\n<\/ul>\n<p>One of the really cool things about Windows&nbsp;8.1 is the Windows Defender module. It answers a common question that I receive, &ldquo;How can I update my antimalware signature, and how can I initiate a scan?&rdquo;<\/p>\n<p>Both of these tasks are easy to do by using the built-in Windows Defender module for Windows PowerShell&nbsp;4.0 in Windows&nbsp;8.1. Because Windows Defender is much more than just an antivirus feature, I am always interested in more than when the antivirus signature was last updated. In fact, I am not always sure what all the names of the different things are, but if I am using Windows PowerShell it does not matter. I use a wildcard character to pick up all of the last updates and all of the package versions. 
Here is the command I use:<\/p>\n<p style=\"padding-left: 30px\">Get-MpComputerStatus | select *updated, *version<\/p>\n<p>The command and the output associated with the command are shown here.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5633.HSG-10-24-13-01.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5633.HSG-10-24-13-01.png\" alt=\"Image of command output\" \/><\/a><\/p>\n<h2>Updating the signatures<\/h2>\n<p>Updating the antimalware signatures goes really fast. I mean really, really fast. At least on my computer, it goes fast. A standard Windows PowerShell progress bar appears and then disappears. Because I know things go fast, I captured a screenshot of the progress bar:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5543.HSG-10-24-13-02.png\"><img decoding=\"async\" title=\"Image of progress bar\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5543.HSG-10-24-13-02.png\" alt=\"Image of progress bar\" \/><\/a><\/p>\n<p>After I updated my signatures, I ran my previous command to ensure that things did update. As shown here&hellip;yep, at least one item updated.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/2273.HSG-10-24-13-03.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/2273.HSG-10-24-13-03.png\" alt=\"Image of command output\" width=\"450\" height=\"190\" \/><\/a><\/p>\n<h2>Kicking off a scan<\/h2>\n<p>Now that I have updated my antimalware signatures, it is a good time to kick off a scan. The cool thing about the <strong>Start-MpScan<\/strong> function is that it is really powerful. 
I can kick off the following types of scans:<\/p>\n<ul>\n<li>FullScan<\/li>\n<li>QuickScan<\/li>\n<li>CustomScan<\/li>\n<\/ul>\n<p>In addition, I can specify the path for the scan. The path can be a file, a folder, or even a remote UNC path. The folder can be a drive root such as C:\\.<\/p>\n<p>I am going to kick off a quick scan. To do this, I use the following command:<\/p>\n<p style=\"padding-left: 30px\">Start-MpScan -ScanType quick<\/p>\n<p>The command produces a Windows PowerShell progress bar that lets me know how things are going. This time, it does not go really quickly, but it is over in less than a minute.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3426.HSG-10-24-13-04.png\"><img decoding=\"async\" title=\"Image of progress bar\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3426.HSG-10-24-13-04.png\" alt=\"Image of progress bar\" \/><\/a><\/p>\n<p>I can use the Windows Defender tool to verify that I did in fact kick off a quick scan. I open the tool by typing <em>defender<\/em> at the Windows 8.1 Start screen. Search realizes what I want to do, and opens the tool. The output is shown here.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5037.HSG-10-24-13-05.png\"><img decoding=\"async\" title=\"Image of menu\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5037.HSG-10-24-13-05.png\" alt=\"Image of menu\" \/><\/a><\/p>\n<p>I have to tell you, this is all really cool. I have spoken about doing this interactively and locally to introduce the functions that are available through the Windows Defender module for Windows PowerShell&nbsp;4.0 in Windows&nbsp;8.1. Keep in mind that this is just the beginning because this is Windows PowerShell.<\/p>\n<p>This means that I can create CIM sessions to remote computers and run these functions remotely. 
I can use the Windows PowerShell Job Scheduler to kick off the scans at a certain time. The other thing that is cool is that Windows Defender writes advanced diagnostic logs, and I can use <strong>Get-WinEvent<\/strong> to query these. In the Event Viewer, the log is located under Applications and Services Logs\/Microsoft\/Windows\/Windows Defender. There are two logs in that location as shown here.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/4571.HSG-10-24-13-06.png\"><img decoding=\"async\" title=\"Image of menu\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/4571.HSG-10-24-13-06.png\" alt=\"Image of menu\" \/><\/a><\/p>\n<p>That is all there is to using Windows PowerShell to update Windows Defender signatures and to kick off a scan. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy<\/strong>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell&nbsp;4.0 in Windows&nbsp;8.1 to update Windows Defender signatures. Microsoft Scripting Guy, Ed Wilson, is here. Well, it is nearly time. Tomorrow the Scripting Wife and I leave for Atlanta for Windows PowerShell Saturday. 
Obviously, Windows PowerShell Saturday begins on a Saturday&mdash;it is just that we [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[459,460,3,63,461,45],"class_list":["post-2676","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-defender","tag-powershell-4","tag-scripting-guy","tag-security","tag-windows-8-1","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell&nbsp;4.0 in Windows&nbsp;8.1 to update Windows Defender signatures. Microsoft Scripting Guy, Ed Wilson, is here. Well, it is nearly time. Tomorrow the Scripting Wife and I leave for Atlanta for Windows PowerShell Saturday. Obviously, Windows PowerShell Saturday begins on a Saturday&mdash;it is just that we 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2676"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2676\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}